about summary refs log tree commit diff stats
path: root/core/sysctl.html
blob: 3b1d492e36ce282202394018854eb47b1fd51ffb (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2.6.2. Sysctl</title>
    </head>
    <body>

        <a href="index.html">Core OS Index</a>

        <h1 id="sysctl">2.6.2. Sysctl</h1>

        <p>Sysctl references
        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>.</p>

        <pre>
        #
        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
        #

        kernel.printk = 7 1 1 4

        kernel.randomize_va_space = 2

        # Shared Memory
        #kernel.shmmax = 500000000
        # Total allocated file handlers that can be allocated
        # fs.file-nr=
        vm.mmap_min_addr=65536

        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
        kernel.pid_max = 65536

        #Yama LSM by default
        kernel.yama.ptrace_scope = 1

        #
        # Filesystem Protections
        #

        # Optimization for port usefor LBs
        # Increase system file descriptor limit
        fs.file-max = 65535

        # Hide symbol addresses in /proc/kallsyms
        kernel.kptr_restrict = 2

        #
        # Network Protections
        #

        net.core.bpf_jit_enable = 0

        # Increase Linux auto tuning TCP buffer limits
        # min, default, and max number of bytes to use
        # set max to at least 4MB, or higher if you use very high BDP paths
        # Tcp Windows etc
        net.core.rmem_max = 8388608
        net.core.wmem_max = 8388608
        net.core.netdev_max_backlog = 5000
        net.ipv4.tcp_window_scaling = 1

        #A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
        net.ipv4.tcp_sack = 0

        # Both ports linux-blob and linux-libre don't build with ipv6
        # Disable ipv6
        net.ipv6.conf.all.disable_ipv6 = 1
        net.ipv6.conf.default.disable_ipv6 = 1
        net.ipv6.conf.lo.disable_ipv6 = 1

        # Tuen IPv6
        #net.ipv6.conf.default.router_solicitations = 0
        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
        #net.ipv6.conf.default.accept_ra_pinfo = 0
        #net.ipv6.conf.default.accept_ra_defrtr = 0
        #net.ipv6.conf.default.autoconf = 0
        #net.ipv6.conf.default.dad_transmits = 0
        #net.ipv6.conf.default.max_addresses = 0

        # Avoid a smurf attack, ping scanning
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # Turn on protection for bad icmp error messages
        net.ipv4.icmp_ignore_bogus_error_responses = 1

        # Turn on syncookies for SYN flood attack protection
        net.ipv4.tcp_syncookies = 1

        ## protect against tcp time-wait assassination hazards
        ## drop RST packets for sockets in the time-wait state
        ## (not widely supported outside of linux, but conforms to RFC)
        net.ipv4.tcp_rfc1337 = 1

        ## tcp timestamps
        ## + protect against wrapping sequence numbers (at gigabit speeds)
        ## + round trip time calculation implemented in TCP
        ## - causes extra overhead and allows uptime detection by scanners like nmap
        ## enable @ gigabit speeds
        net.ipv4.tcp_timestamps = 0
        #net.ipv4.tcp_timestamps = 1

        # Turn on and log spoofed, source routed, and redirect packets
        net.ipv4.conf.all.log_martians = 1
        net.ipv4.conf.default.log_martians = 1

        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        ## sets the kernels reverse path filtering mechanism to value 1(on)
        ## will do source validation of the packet's recieved from all the interfaces on the machine
        ## protects from attackers that are using ip spoofing methods to do harm
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.default.rp_filter = 1
        #net.ipv6.conf.default.rp_filter = 1
        #net.ipv6.conf.all.rp_filter = 1


        # Make sure no one can alter the routing tables
        # Act as a router, necessary for Access Point
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv4.conf.all.secure_redirects = 0
        net.ipv4.conf.default.secure_redirects = 0
        # No source routed packets here
        # Discard packets with source routes, ip spoofing
        net.ipv4.conf.all.accept_source_route = 0
        net.ipv4.conf.default.accept_source_route = 0


        net.ipv4.conf.all.send_redirects = 0
        net.ipv4.conf.default.send_redirects = 0

        net.ipv4.ip_forward = 0

        # Increase system IP port limits
        net.ipv4.ip_local_port_range = 2000 65000

        # Increase TCP max buffer size setable using setsockopt()
        net.ipv4.tcp_rmem = 4096 87380 8388608
        net.ipv4.tcp_wmem = 4096 87380 8388608

        # Disable proxy_arp
        net.ipv4.conf.default.proxy_arp = 0
        net.ipv4.conf.all.proxy_arp = 0

        # Disable bootp_relay
        net.ipv4.conf.default.bootp_relay = 0
        net.ipv4.conf.all.bootp_relay = 0

        # Decrease TCP fin timeout
        net.ipv4.tcp_fin_timeout = 30
        # Decrease TCP keep alive time
        net.ipv4.tcp_keepalive_time = 1800
        # Sen SynAck retries to 3
        net.ipv4.tcp_synack_retries = 3

        # End of file
        </pre>

        <p>Reload sysctl settings;</p>

        <pre>
        # sysctl --system
        </pre>

        <a href="index.html">Core OS Index</a>
        <p>This is part of the Tribu System Documentation.
        Copyright (C) 2020
        Tribu Team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>

    </body>
</html>